userinit.exe and rundll32.exe problems
lawyerjim
Junior Member
23. July 2008 @ 04:06
Windows XP on Sony Vaio PC
This was my personal computer that I used with no problems. I bought a new one and gave this one to my teenager and he downloaded everything he could find until it's so screwed up that I want to throw it out the window. (him too)
When I turn on the computer, I get a box that says "userinit.exe - Application Error" so I have to click OK to terminate it.
Next, I have to Ctrl+Alt+Del, then run explorer.exe.
Then I get a box that says "rundll32.exe - Application Error" so I have to click on OK to terminate it.
Even when I make it to the desktop, there are so many things that don't work: I can't change the wallpaper, screen resolution, or clock, or open "Add or Remove Programs". Each time I try to access one of those, I get the rundll32 box again.
Where do I start to get things going again without a complete reinstall? I don't want to do that unless I have to, because I have a lot of software on it and I no longer have access to the disks.
Thank you,
Jim
AfterDawn Addict
23. July 2008 @ 17:14
Hello lawyerjim,
My handle is 2oldGeek and I will help you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic; I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
The best way to attack this seemingly overwhelming problem is to take it one byte at a time.
First, I hope you have Safe Mode. I believe that would be the best way to start because the malware will not start up in Safe Mode.
If for some reason you cannot enter Safe Mode, we may have to come up with an alternate plan.
This may take you several tries, so it may be a good idea, if you can, to print out these instructions before starting.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode with Networking".
Now we will download 3 programs to start the cleaning process.
Please download ATF Cleaner by Atribune & save it to your desktop.
Next download SDFix and save it to your Desktop.
Next please download Malwarebytes' Anti-Malware to your desktop.
Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use the Firefox browser, click Firefox at the top and choose: Select All.
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use the Opera browser, click Opera at the top and choose: Select All.
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.
Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Please post the contents of that file in your next reply.
Double click SDFix.exe and it will extract the files to the drive that contains the Windows Directory, typically C:\SDFix
Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
• Press any key and it will restart the PC.
• When the PC restarts the fix tool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
• Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Please post the contents of that file in your next reply.
Reboot to Normal Mode:
Hopefully, now you will be able to do some work in normal mode.
Make a HijackThis Log
Let's get the latest version of HijackThis and rename it.
Rename it? Yes, malware recognizes the name HijackThis and hides from it.
Download and rename TrendMicro HijackThis.exe (HJT)
• Double-click on HJTInstall.
• Click on the Install button.
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
• Upon install, HijackThis should open for you.
• Close HijackThis and rename it.
• Go to C:\Program Files\Trend Micro\HijackThis.exe
• Right-click on HijackThis.exe and select Rename.
• Type in scanner.exe and press Enter.
• Right-click on scanner.exe and select Send To > Desktop (create shortcut).
• From the desktop, open HijackThis (aka scanner).
• Click on the "Do a system scan and save a log file" button.
• HijackThis will scan and then a log will open in Notepad.
• Copy and then paste the entire contents of the log in your post.
• Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Although we have renamed Hijackthis to scanner.exe, we will still refer to it as Hijackthis or HJT.
Please post the HijackThis log, log-date.txt and Report.txt in your next reply.
2oG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
This message has been edited since posting. Last time this message was edited on 23. July 2008 @ 17:21
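Added example, not part of 2oldGeek's instructions and not code from Malwarebytes, SDFix or HijackThis: a small Python script that reads a Malwarebytes-style log in the format those logs use (`<registry key or file path> (<Threat.Name>) -> <action>.` under headers such as `Registry Keys Infected:` and `Files Infected:`), groups the registry hits by autostart mechanism so the entries that explain explorer.exe/rundll32.exe crashes and relaunch-on-logon are read first, and pairs each quarantined .dll with an .ini whose name is the DLL name spelled backwards, the naming pattern Vundo uses for its dropped files. The persistence table, the function names and the embedded sample log are my own constructions, patterned on the log format.

```python
"""Triage a Malwarebytes-style scan log (added example, not from the thread).

Assumed log format:
    <Section> Infected:
    <registry key or file path> (<Threat.Name>) -> <action taken>.
"""
import re
from collections import defaultdict

# Autostart / injection locations worth reading first. Patterns and labels are
# my own; they are matched case-insensitively against the registry path.
PERSISTENCE = [
    (r"\\Explorer\\ShellExecuteHooks\\", "shell_execute_hook",
     "DLL loaded into every process that calls ShellExecute (explorer.exe, rundll32.exe)"),
    (r"\\Explorer\\Browser Helper Objects\\", "bho",
     "DLL loaded by Internet Explorer (and by the Explorer shell on XP)"),
    (r"\\CurrentVersion\\Run\\", "run_key",
     "relaunched at every logon"),
    (r"\\Internet Explorer\\(Toolbar|Explorer Bars)\\", "ie_toolbar",
     "IE toolbar / explorer bar DLL"),
    (r"\\Ext\\PreApproved\\", "preapproved_activex",
     "ActiveX control that loads without the usual prompt"),
    (r"\\Mozilla\\Firefox\\Extensions\\", "firefox_extension",
     "Firefox extension registered machine-wide"),
]

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_log(text):
    """Return a list of (section, item, threat, action) for every detection line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:  # skips the summary counts and "(No malicious items detected)"
            entries.append((section, m.group("item"), m.group("threat"), m.group("action")))
    return entries


def classify_persistence(entries):
    """Map each autostart mechanism label to the registry entries that use it."""
    hits = defaultdict(list)
    for section, item, threat, _ in entries:
        if not section.startswith("Registry"):
            continue
        for pattern, label, _why in PERSISTENCE:
            if re.search(pattern, item, re.IGNORECASE):
                hits[label].append((item, threat))
                break
    return dict(hits)


def reversed_name_pairs(entries):
    """Pair each .dll with an .ini in the same folder whose stem is the DLL stem reversed.

    Vundo drops e.g. amgkdrry.dll next to yrrdkgma.ini; finding the twin is a
    quick confirmation that a random-looking system32 DLL belongs to that family.
    """
    files = [item for section, item, _, _ in entries if section == "Files Infected"]
    by_dir = defaultdict(set)
    for path in files:
        folder, _, name = path.rpartition("\\")
        by_dir[folder.lower()].add(name.lower())
    pairs = []
    for path in files:
        folder, _, name = path.rpartition("\\")
        stem, _, ext = name.lower().rpartition(".")
        twin = stem[::-1] + ".ini"
        if ext == "dll" and twin in by_dir[folder.lower()]:
            pairs.append((name, twin))
    return pairs


# Constructed sample in the assumed format (not a real scan result).
SAMPLE_LOG = r"""
Registry Keys Infected: 157
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d8e5bfb-0cb4-4306-8b6e-f56d857332cf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d8e5bfb-0cb4-4306-8b6e-f56d857332cf} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{87862e26-bda0-4a78-b94c-86bcb9428a6f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm1faae334 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SfKg6w (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\wfpqslvq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amgkdrry.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrrdkgma.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\auiihlaa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aalhiiua.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    hits = classify_persistence(found)
    for _pattern, label, why in PERSISTENCE:
        for item, threat in hits.get(label, []):
            print(f"[{label}] {threat}: {item}\n    -> {why}")
    for dll, ini in reversed_name_pairs(found):
        print(f"Vundo twin: {dll} <-> {ini}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents. HKEY_CLASSES_ROOT CLSID/Interface/TypeLib entries are deliberately left unclassified: they are COM registration for the same DLLs, not autostart points, so the hook, BHO and Run-key lines are the ones to check first if the errors come back after a reboot.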
lawyerjim
Junior Member
23. July 2008 @ 21:37
Let me start by saying thank you for your help.
I ran ATF and MBAM in Safe Mode. When I try to run SDFix, I get two error messages:
cmd.exe - application error
find.exe - application error
Here is the log file for mbam:
**************
Malwarebytes' Anti-Malware 1.22
Database version: 984
Windows 5.1.2600 Service Pack 2
6:07:22 PM 7/23/2008
mbam-log-7-23-2008 (18-07-22).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 200496
Time elapsed: 1 hour(s), 56 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 157
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 22
Files Infected: 145
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d8e5bfb-0cb4-4306-8b6e-f56d857332cf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d8e5bfb-0cb4-4306-8b6e-f56d857332cf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{060bb0ab-4b09-4c51-9ecb-9580a6d08d7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87862e26-bda0-4a78-b94c-86bcb9428a6f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87862e26-bda0-4a78-b94c-86bcb9428a6f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{0729f461-8054-47dc-8d39-a31b61cc0119} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{40ca90f3-4098-4877-ae87-23eb612b18c7} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4c3b62af-ca25-4fba-8405-32e44f83bb6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5a635a91-c303-45c9-8db9-f759d98a3b9d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7e335d04-2e6e-4d0e-a921-c3d9192e7121} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{99ccfb8c-6380-4a14-8fdd-ef3e7e95335d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b20d7add-989c-4bc0-a797-f6fe7998efd7} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bfc20a15-b0ac-44cc-a25a-a7039014ba9f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f019aec4-4c95-46de-a107-e302473e3b9a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d00aa2a-69ef-487a-8a40-b3e27f07c91e} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{86c5840b-80c4-4c30-a655-37344a542009} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b0cb585f-3271-4e42-88d9-ae5c9330d554} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{eddbb5ee-bb64-4bfc-9dbe-e7c85941335b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{148e1447-c728-48fd-beec-a7d06c5fff58} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ee46f55-1ce1-4db9-811a-68938ec7f3dd} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a87dfd99-cf81-4241-85ce-881e0026b686} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c96b9fae-a032-4100-bb47-32ef05e28be4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{14113b47-d59c-4f0f-9d10-ff1730265584} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9c42a57-421c-4572-8b12-249c59183d1c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a57470de-14c7-4fcd-9d4c-e5711f24f0ed} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2557dd3f-23a0-477c-bcd8-90fd0aecc4b8} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2893116c-a176-42b1-8794-da8c9fc45564} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{99fdca0c-7380-4e9c-8d99-5dc4750334ef} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1d9f4b1-b9ff-463f-bf15-ab9cb26160f7} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{71f731b3-008b-4052-9ea4-4145acce40c3} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8292078f-f6e9-412b-8eb1-360c05c5ece5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2447e305-5e90-42a8-bd1e-0bc333b807e1} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{50d2fdcc-2707-49cb-8223-7fe0424909aa} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{878ce013-7ba9-4650-a78c-b2234c0c1648} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a5b6fa30-d317-41ca-9cb1-c898d3c7f34e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cc19a5f2-b4ad-41d5-a5c9-0680904c1483} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{03d7ff6e-9781-40b5-bb7f-94291a361604} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3ceb04ab-08af-45f4-81b4-70d13c1f7b85} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a7213d71-47e1-4832-92d7-d61dfe9f231f} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf82f350-e1c4-4916-ac12-ba73db60afb7} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c62a9e79-2b52-439b-af57-2e60bb06e86c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{15fd8424-d12a-4c51-8c6c-d5d57b80f781} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{67b3becf-7b6f-42b2-99f0-f7656f89cffa} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{715ffd42-4e05-4eab-9513-c8daa5395ae2} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{759d6f7c-8d30-45b6-abea-fa51c190eed5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9a4a64a4-a2fb-48fa-9bba-1ac50267695d} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{62906e60-bce2-4e1b-9ed0-8b9042ee15e4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9bfa98d-9935-4ea4-a05a-72c7f0778f02} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{abec1835-3181-4abd-8dde-875aec4df6d2} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0af9a087-0cbf-46b2-9dc9-52d0d16b5ab6} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69725738-cd68-4f36-8d02-8c43722ee5da} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-cd68-4f36-8d02-8c43722ee5da} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a56fe01c-77c4-4f5e-8198-e4b72207890a} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{af55160d-cde1-4a8b-8001-66da06bee740} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{89085678-632d-4deb-bda0-cd912c63203e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{30b15818-e110-4527-9c05-46ace5a3460d} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{618aad04-921f-44c2-be38-c0818af69861} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5d2ed96-62f9-4c2c-956d-e425b1f67337} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d3a412e8-1e4b-47d2-9b12-f88291f5afbb} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3788e535-897b-463d-b6d6-fee5b86ec144} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3788e535-897b-463d-b6d6-fee5b86ec144} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d3f940ea-4e87-423b-9091-934e1e4fceae} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{d3f940ea-4e87-423b-9091-934e1e4fceae} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spcron (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Svconr (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Zango (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wallpaper.wallpapermanager (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wallpaper.wallpapermanager.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{87862e26-bda0-4a78-b94c-86bcb9428a6f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm1faae334 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SfKg6w (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\zango 10.3.65.0 (Adware.Zango) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\components (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\plugins (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Svconr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Spcron (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.
Files Infected:
lawyerjim
Junior Member
23. July 2008 @ 21:42
And here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:07 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 74.208.105.45 l2testauthd.lineage2.com
O1 - Hosts: 74.208.105.45 l2authd.lineage2.com
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C1E7C0C-731A-4D32-81DF-F8E543CC515E} - (no file)
O2 - BHO: (no name) - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9E59} - (no file)
O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
O2 - BHO: (no name) - {1C3DBE98-0102-0DF8-571B-5200B6C28B9B} - (no file)
O2 - BHO: (no name) - {2d8e5bfb-0cb4-4306-8b6e-f56d857332cf} - (no file)
O2 - BHO: (no name) - {3101968F-6388-4AE3-B4F7-B032EBE84908} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5A44119A-2FA0-40EF-9B95-45B751F0D203} - C:\WINDOWS\system32\efcDTNge.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {773275d5-4fc7-4b12-8f7f-62902bbdec32} - (no file)
O2 - BHO: (no name) - {79513ED2-95DE-4C93-AD50-786C46F33F83} - C:\WINDOWS\system32\vtUmNgDW.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8069CE89-0BE4-414F-A66A-07707E4EB50D} - (no file)
O2 - BHO: (no name) - {87862E26-BDA0-4A78-B94C-86BCB9428A6F} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O2 - BHO: (no name) - {9afdf9ff-5fd3-4c1d-a131-8d521959562b} - (no file)
O2 - BHO: (no name) - {A9AF6784-1235-408D-8927-657A64D804C9} - C:\WINDOWS\system32\xxyyyASI.dll (file missing)
O2 - BHO: (no name) - {B77BD50E-9383-454E-B6AE-8CF6673A6E7A} - C:\WINDOWS\system32\ssqPijjh.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {C5F573EC-F335-483B-99B8-8706BA1F8DA7} - (no file)
O2 - BHO: (no name) - {c688407d-b4b8-44eb-8149-542854193db8} - (no file)
O2 - BHO: (no name) - {cf35f031-b21a-4cf2-bb3e-4dcfa4c4625e} - (no file)
O2 - BHO: (no name) - {F3C77DCA-FA4C-4941-8F9F-31D9228AFCD6} - (no file)
O2 - BHO: (no name) - {F424072E-082C-4171-82E6-4F76711119D5} - (no file)
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [1c99d0a8] rundll32.exe "C:\WINDOWS\system32\euadficf.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM1faae334] Rundll32.exe "C:\WINDOWS\system32\tpgxfcld.dll",s
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jim\Application Data\Microsoft\Windows\rayiou.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZCfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://gunfighter.wildwestonline.com
O15 - Trusted Zone: http://www.wildwestonline.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1161833594468
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -
O20 - AppInit_DLLs: jyaywaxg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hGvTlJCR - hGvTlJCR.dll (file missing)
O20 - Winlogon Notify: jkkKddcd - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Maya\docs\wrapper.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 11025 bytes
AfterDawn Addict
23. July 2008 @ 21:55
Lawyerjim,
Whooooo doggie???? You got a junior Malware Collector on your hands. ; ) lol
That picked up a lot but there is work to be done.
Were you able to run SUPERAntiSpyware? If SDFix will not work in the Safe mode, please just run it in Normal Mode, if you can.
I'll be here all night, so if you can, I can... : D
2oG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
lawyerjim
Junior Member
23. July 2008 @ 22:04
I cannot get SDFix to run in normal mode either. I get boxes that pop up that say:
cmd.exe - Application Error
find.exe - Application Error
I am running SuperAntiSpyware right now and will let you know what it says.
lawyerjim
Junior Member
24. July 2008 @ 00:18
SuperAntiSpyware removed 400 files.
Now what?
AfterDawn Addict
24. July 2008 @ 00:30
Please send me the SAS LOG file so I can see....

lawyerjim
Junior Member
24. July 2008 @ 02:26
Here is the SuperAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/23/2008 at 11:08 PM
Application Version : 4.1.1046
Core Rules Database Version : 3513
Trace Rules Database Version: 1504
Scan type : Complete Scan
Total Scan Time : 04:05:29
Memory items scanned : 350
Memory threats detected : 1
Registry items scanned : 6619
Registry threats detected : 38
File items scanned : 163860
File threats detected : 356
Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\JYAYWAXG.DLL
C:\WINDOWS\SYSTEM32\JYAYWAXG.DLL
Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}
C:\WINDOWS\SYSTEM32\IDVNOIHL.DLL
C:\WINDOWS\SYSTEM32\LIATVF.DLL
C:\WINDOWS\SYSTEM32\RXMDFWAI.DLL
C:\WINDOWS\SYSTEM32\UBASFS.DLL
C:\WINDOWS\SYSTEM32\UMFOVQKO.DLL
C:\WINDOWS\SYSTEM32\WNWUNRBH.DLL
Adware.HotBar/ShopperReports (Low Risk)
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}
Trojan.Unclassified/TestCPV
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
Adware.Tracking Cookie
C:\Documents and Settings\Jim\Cookies\jim@shop.winanonymous[1].txt
C:\Documents and Settings\Jim\Cookies\jim@secure.systemerrorfixer[2].txt
C:\Documents and Settings\Jim\Cookies\jim@toplist[1].txt
C:\Documents and Settings\Jim\Cookies\jim@www.2adultflashgames[1].txt
C:\Documents and Settings\Jim\Cookies\jim@2adultflashgames[3].txt
C:\Documents and Settings\Jim\Cookies\jim@ad.yieldmanager[1].txt
C:\Documents and Settings\Jim\Cookies\jim@int.sitestat[1].txt
C:\Documents and Settings\Jim\Cookies\jim@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\Jim\Cookies\jim@pacificpoker[1].txt
C:\Documents and Settings\Jim\Cookies\jim@ads4.blastro[1].txt
C:\Documents and Settings\Jim\Cookies\jim@revsci[1].txt
C:\Documents and Settings\Jim\Cookies\jim@aff.primaryads[1].txt
C:\Documents and Settings\Jim\Cookies\jim@ads.react2media[1].txt
C:\Documents and Settings\Jim\Cookies\jim@tacoda[1].txt
C:\Documents and Settings\Jim\Cookies\jim@ads.blizzard[1].txt
C:\Documents and Settings\Jim\Cookies\jim@tremor.adbureau[2].txt
C:\Documents and Settings\Jim\Cookies\jim@82.98.235[1].txt
C:\Documents and Settings\Jim\Cookies\jim@antispywaremaster[2].txt
C:\Documents and Settings\Jim\Cookies\jim@www8.addfreestats[1].txt
C:\Documents and Settings\Jim\Cookies\jim@banners.dragonfable[1].txt
C:\Documents and Settings\Jim\Cookies\jim@ads3.blastro[1].txt
C:\Documents and Settings\Jim\Cookies\jim@content.licenseacquisition[1].txt
C:\Documents and Settings\Jim\Cookies\jim@network.realmedia[1].txt
C:\Documents and Settings\Jim\Cookies\jim@adrevolver[2].txt
C:\Documents and Settings\Jim\Cookies\jim@ads.pointroll[2].txt
C:\Documents and Settings\Jim\Cookies\jim@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\Jim\Cookies\jim@redirect.clickshield[1].txt
C:\Documents and Settings\Jim\Cookies\jim@6144.2850694.clickshield[1].txt
C:\Documents and Settings\Jim\Cookies\jim@247realmedia[1].txt
C:\Documents and Settings\Jim\Cookies\jim@insightexpressai[1].txt
C:\Documents and Settings\Jim\Cookies\jim@adultadworld[2].txt
C:\Documents and Settings\Jim\Cookies\jim@imrworldwide[1].txt
C:\Documents and Settings\Jim\Cookies\jim@adlegend[1].txt
C:\Documents and Settings\Jim\Cookies\jim@sexgamesfree[2].txt
C:\Documents and Settings\Jim\Cookies\jim@sale.trustedantivirus[1].txt
C:\Documents and Settings\Jim\Cookies\jim@da-tracking[2].txt
Adware.Zango Toolbar/Hb
HKCR\HbCoreSrv.DynamicProp
HKCR\HbCoreSrv.DynamicProp\CLSID
HKCR\HbCoreSrv.DynamicProp\CurVer
HKCR\HbCoreSrv.DynamicProp.1
HKCR\HbCoreSrv.DynamicProp.1\CLSID
C:\Documents and Settings\Jim\Application Data\Zango\IESkins
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\HostOI\dynamic
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\HostOI
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\HostOL\dynamic
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\HostOL
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\1.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\111532.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\1383918.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\1399517.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\1434935.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\2625397.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\3277710.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\3420554.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\3422001.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\3756141.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\3855615.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\3855674.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\600583.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\819382.sdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\domains.txt
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\ustat\3702.dat
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\ustat\3703.dat
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic\ustat
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\dynamic
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\avatar.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\btntrans.idx
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\btntrans1.dat
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\buttondir.txt
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\components.cdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\cursors.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\default.cdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_511745-514279.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-ca.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-us.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_categorize.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_comparison.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-Mails.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-people.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_favorites.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_Games.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_Hide.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_hotbarcom.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_Hotmail.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_hsskin.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_jemster.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_jemsterie.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_jemsteruk.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_jobsearch.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_Mails.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_MobileSidewalk.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_new.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_premium.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_reun.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_ringtones.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_searchfor.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_searchgo.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_weather.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Default_yellowpages.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_1000.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_2000.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_3000.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bar.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bbar1.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_logos.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_other.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\d_icons_weather.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\editblbuttons.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-548964.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-9595.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\email-t1-bg.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\icons2.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\ie_games_icon.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\ie_video.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\keywords.idx
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\keywords1.dat
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\layout.cdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\linkpathlegal.txt
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\progress.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\sales_buttons.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\sdfmodifier.xml
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\s_icons_buttons.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\t2_bg.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\theweb.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\top7.cdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\Top7_theweb.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\tsd_bg.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\zango_btn.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1\zango_ie_menu.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\1
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\avatar.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\btntrans.idx
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\btntrans1.dat
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\buttondir.txt
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\components.cdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\cursors.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\default.cdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_511745-514279.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-ca.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-us.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_categorize.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_comparison.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-Mails.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-people.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_favorites.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_Games.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_Hide.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_hotbarcom.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_Hotmail.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_hsskin.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_jemster.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_jemsterie.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_jemsteruk.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_jobsearch.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_Mails.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_MobileSidewalk.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_new.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_premium.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_reun.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_ringtones.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_searchfor.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_searchgo.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_weather.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Default_yellowpages.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_1000.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_2000.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_3000.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bar.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bbar1.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_logos.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_other.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\d_icons_weather.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\editblbuttons.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-548964.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-9595.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\email-t1-bg.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\icons2.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\ie_games_icon.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\ie_video.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\keywords.idx
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\keywords1.dat
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\layout.cdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\linkpathlegal.txt
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\progress.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\sales_buttons.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\sdfmodifier.xml
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\s_icons_buttons.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\t2_bg.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\theweb.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\top7.cdf
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\Top7_theweb.mnu
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\tsd_bg.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\zango_btn.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2\zango_ie_menu.res
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\2
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static\DownLoad
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango\static
C:\Documents and Settings\Jim\Application Data\Zango\v3.0\Zango
C:\Documents and Settings\Jim\Application Data\Zango\v3.0
C:\Documents and Settings\Jim\Application Data\Zango
Adware.Zango/ShoppingReport
HKCR\CntntCntr.CntntDic
HKCR\CntntCntr.CntntDic\CLSID
HKCR\CntntCntr.CntntDic\CurVer
HKCR\CntntCntr.CntntDic.1
HKCR\CntntCntr.CntntDic.1\CLSID
HKCR\CntntCntr.CntntDisp
HKCR\CntntCntr.CntntDisp\CLSID
HKCR\CntntCntr.CntntDisp\CurVer
HKCR\CntntCntr.CntntDisp.1
HKCR\CntntCntr.CntntDisp.1\CLSID
HKCR\WeatherDPA.WeatherController
HKCR\WeatherDPA.WeatherController\CLSID
HKCR\WeatherDPA.WeatherController\CurVer
HKCR\WeatherDPA.WeatherController.1
HKCR\WeatherDPA.WeatherController.1\CLSID
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\LocalServer32
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\ProgID
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\Programmable
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\TypeLib
HKCR\CLSID\{70880CE6-308C-4204-A89E-B266C3F7B7FA}\VersionIndependentProgID
HKCR\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3}
HKCR\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3}\Implemented Categories
HKCR\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3}\Implemented Categories\{DF9D74B4-61F4-4815-ADC7-F9ABD5F065FD}
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\LocalServer32
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\ProgID
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\Programmable
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\TypeLib
HKCR\CLSID\{9473559B-50FC-4A8A-829B-E152E8D6A307}\VersionIndependentProgID
C:\Documents and Settings\Jim\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML
C:\Documents and Settings\Jim\Application Data\WeatherDPA\Weather\WeatherDPA
C:\Documents and Settings\Jim\Application Data\WeatherDPA\Weather\WeatherStartup.xml
C:\Documents and Settings\Jim\Application Data\WeatherDPA\Weather
C:\Documents and Settings\Jim\Application Data\WeatherDPA
Adware.180solutions/Seekmo/Zango
C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS\NPCLNTAX_ZANGOSA.DLL
D:\SETUP(2).EXE
D:\SETUP.EXE
D:\ZANGO\BIN\10.3.65.0\CNTNTCNTR.DLL
D:\ZANGO\BIN\10.3.65.0\FIREFOX\EXTENSIONS\PLUGINS\NPCLNTAX_ZANGOSA.DLL
D:\ZANGO\BIN\10.3.65.0\HOSTIE.DLL
D:\ZANGO\BIN\10.3.65.0\HOSTOE.DLL
D:\ZANGO\BIN\10.3.65.0\HOSTOL.DLL
D:\ZANGO\BIN\10.3.65.0\OEADDON.EXE
D:\ZANGO\BIN\10.3.65.0\SRV.EXE
D:\ZANGO\BIN\10.3.65.0\TOOLBAR.DLL
D:\ZANGO\BIN\10.3.65.0\WEATHER.EXE
D:\ZANGO\BIN\10.3.65.0\WESKIN.DLL
D:\ZANGO\BIN\10.3.65.0\ZANGOSA.EXE
D:\ZANGO\BIN\10.3.65.0\ZANGOSAAX.DLL
D:\ZANGO\BIN\10.3.65.0\ZANGOSADF.EXE
D:\ZANGO\BIN\10.3.65.0\ZANGOSAHOOK.DLL
D:\ZANGO\BIN\10.3.65.0\ZANGOUNINSTALLER.EXE
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\CGCBDKJN.DLL
Trojan.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\DNCXPV.DLL
C:\WINDOWS\SYSTEM32\GNDGDP.DLL
C:\WINDOWS\SYSTEM32\GQYLOS.DLL
C:\WINDOWS\SYSTEM32\QGYADI.DLL
C:\WINDOWS\SYSTEM32\QPWEVN.DLL
C:\WINDOWS\SYSTEM32\QYPXUL.DLL
C:\WINDOWS\SYSTEM32\TAUSAW.DLL
C:\WINDOWS\SYSTEM32\UIURUV.DLL
C:\WINDOWS\SYSTEM32\VGIPYT.DLL
C:\WINDOWS\SYSTEM32\WDUYHE.DLL
C:\WINDOWS\SYSTEM32\XADNFK.DLL
Unclassified.Unknown Origin
C:\WINDOWS\SYSTEM32\FWLWGSKF.DLL
C:\WINDOWS\SYSTEM32\JZABBE.DLL
Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP
AfterDawn Addict
24. July 2008 @ 02:40
Hey lawyerjim,
I've been going over your Logs and there are still a few things that need to be done.
I got confused about the SuperAntiSpyware thing. I was looking for a SDFix log and just got mixed up, my bad.. ; p
So far you have deleted a huge amount of Adware and some Trojans.
If you will help me by removing some of the trash left in the HJT log it would really help me to analyze the situation a little easier..
Please do the following:
Fix entries using HiJackThis
Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below (if they still remain)
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: (no name) - {0C1E7C0C-731A-4D32-81DF-F8E543CC515E} - (no file)
O2 - BHO: (no name) - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9E59} - (no file)
O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
O2 - BHO: (no name) - {1C3DBE98-0102-0DF8-571B-5200B6C28B9B} - (no file)
O2 - BHO: (no name) - {2d8e5bfb-0cb4-4306-8b6e-f56d857332cf} - (no file)
O2 - BHO: (no name) - {3101968F-6388-4AE3-B4F7-B032EBE84908} - (no file)
O2 - BHO: (no name) - {5A44119A-2FA0-40EF-9B95-45B751F0D203} - C:\WINDOWS\system32\efcDTNge.dll (file missing)
O2 - BHO: (no name) - {773275d5-4fc7-4b12-8f7f-62902bbdec32} - (no file)
O2 - BHO: (no name) - {79513ED2-95DE-4C93-AD50-786C46F33F83} - C:\WINDOWS\system32\vtUmNgDW.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8069CE89-0BE4-414F-A66A-07707E4EB50D} - (no file)
O2 - BHO: (no name) - {87862E26-BDA0-4A78-B94C-86BCB9428A6F} - (no file)
O2 - BHO: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O2 - BHO: (no name) - {9afdf9ff-5fd3-4c1d-a131-8d521959562b} - (no file)
O2 - BHO: (no name) - {A9AF6784-1235-408D-8927-657A64D804C9} - C:\WINDOWS\system32\xxyyyASI.dll (file missing)
O2 - BHO: (no name) - {B77BD50E-9383-454E-B6AE-8CF6673A6E7A} - C:\WINDOWS\system32\ssqPijjh.dll (file missing)
O2 - BHO: (no name) - {C5F573EC-F335-483B-99B8-8706BA1F8DA7} - (no file)
O2 - BHO: (no name) - {c688407d-b4b8-44eb-8149-542854193db8} - (no file)
O2 - BHO: (no name) - {cf35f031-b21a-4cf2-bb3e-4dcfa4c4625e} - (no file)
O2 - BHO: (no name) - {F3C77DCA-FA4C-4941-8F9F-31D9228AFCD6} - (no file)
O2 - BHO: (no name) - {F424072E-082C-4171-82E6-4F76711119D5} - (no file)
O20 - Winlogon Notify: hGvTlJCR - hGvTlJCR.dll (file missing)
IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
Click the Fix checked button and close HiJackThis.
Please Post back with a fresh HijackThis Log and we'll take it from there.
Lawyerjim, I will be working Thu, Fri and Sat. I usually put in 40 to 45 hours in 3 days so, after tonight, I may not be able to do much until Sunday evening.. But, I'll be back... ; )
Thanks,
2oG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
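Added example (not part of this thread, and not HijackThis's own logic): a small Python triage script that applies the same reading 2oldGeek did by hand to HJT log lines. Every entry in the fix list above is an O2 BHO or O20 Winlogon Notify registration whose file is gone ("(no file)" / "(file missing)"), which is why they can be ticked in one pass; the script marks those "fix". It also marks "review" the kinds of live entries that still need a human look, using heuristics of my own: O4 Run values that start rundll32 on a DLL through a one-letter export, Run value names that look machine-generated, autoruns living under the user's Application Data, and O1 hosts overrides. The sample lines are copied (abbreviated) from the logs posted in this thread; the Finding class, the regexes and the verdict names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines, copied (abbreviated) from the logs in this thread.
# The heuristics below are this example's own, not HijackThis's.
SAMPLE_LOG = r"""
O1 - Hosts: 74.208.105.45 l2authd.lineage2.com
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: (no name) - {5A44119A-2FA0-40EF-9B95-45B751F0D203} - C:\WINDOWS\system32\efcDTNge.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [1c99d0a8] rundll32.exe "C:\WINDOWS\system32\euadficf.dll",b
O4 - HKLM\..\Run: [BM1faae334] Rundll32.exe "C:\WINDOWS\system32\tpgxfcld.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jim\Application Data\Microsoft\Windows\rayiou.exe
O20 - Winlogon Notify: hGvTlJCR - hGvTlJCR.dll (file missing)
"""


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2" (assumed structure for this example)
    verdict: str   # "fix" = orphaned registration, "review" = live but suspicious
    reason: str
    line: str


SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# "HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run:\s+\[([^\]]+)\]\s+(.*)$")
# rundll32[.exe] ["]path\to\file.dll["],ExportName
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*(\S+)', re.IGNORECASE)
# a run of six or more lowercase hex digits, typical of generated value names
HEXISH_RE = re.compile(r"[0-9a-f]{6,}")


def triage_line(line: str):
    """Classify one HJT log line; returns a Finding or None if nothing stands out."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    # Orphaned BHO / Winlogon Notify registrations: the file is gone, only the
    # registry entry remains. These are the entries in the fix list above.
    if section in ("O2", "O20") and ("(no file)" in body or "(file missing)" in body):
        return Finding(section, "fix", "registration points at a file that no longer exists", line)

    if section == "O1":
        return Finding(section, "review", "hosts-file override; confirm it is intended", line)

    if section == "O4":
        rm = RUN_RE.match(body)
        if not rm:
            return None          # Startup-folder entries etc. are not handled here
        value_name, command = rm.groups()
        dm = RUNDLL_RE.search(command)
        if dm and len(dm.group(2)) == 1:
            # Legitimate rundll32 autoruns name a real export (NvStartup);
            # a one-letter export on a DLL in system32 is a Vundo-style tell.
            return Finding(section, "review",
                           f"rundll32 loads {dm.group(1)} via single-letter export {dm.group(2)!r}", line)
        if HEXISH_RE.search(value_name):
            return Finding(section, "review", f"Run value name {value_name!r} looks machine-generated", line)
        if "\\Application Data\\" in command or "\\Local Settings\\" in command:
            return Finding(section, "review",
                           "autorun executable lives in the user profile, not Program Files or system32", line)
    return None


def triage(log_text: str):
    """Return all findings for a whole HJT log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def entries_to_fix(log_text: str):
    """The lines one would tick in HijackThis 'Do a system scan only' and Fix checked."""
    return [f.line for f in triage(log_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.section:4} {f.reason}")
```

The "fix" verdict is deliberately limited to entries that reference a missing file: removing a dangling CLSID or Winlogon Notify key cannot break anything that is still running. The "review" entries are the ones a helper would want the full log and a fresh scan for before acting, since the DLLs they name are still present and a Vundo-style component will usually re-create its Run value if the file itself is not removed.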
lawyerjim
Junior Member
24. July 2008 @ 03:28
I completely understand your time constraints and appreciate your help.
Here is the new Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:55 AM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 74.208.105.45 l2testauthd.lineage2.com
O1 - Hosts: 74.208.105.45 l2authd.lineage2.com
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [1c99d0a8] rundll32.exe "C:\WINDOWS\system32\euadficf.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM1faae334] Rundll32.exe "C:\WINDOWS\system32\tpgxfcld.dll",s
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jim\Application Data\Microsoft\Windows\rayiou.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZCfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://gunfighter.wildwestonline.com
O15 - Trusted Zone: http://www.wildwestonline.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1161833594468
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -
O20 - AppInit_DLLs: jyaywaxg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkKddcd - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Maya\docs\wrapper.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 8961 bytes
AfterDawn Addict
24. July 2008 @ 04:09
Hey lawyerjim, good work...
It's starting to shape up... Little by little. ;p
The 2 files you mentioned that you were getting errors from:
cmd.exe and find.exe are processes associated with Microsoft Windows Operating System from Microsoft Corporation and not readily available for download on the internet.
I still haven't got an answer but I'm working on it.
Do you have an XP disk or a recovery disk with XP system files on it?
If you have an XP disk we can get those files off it to replace the damaged ones.
That is, damaged or placed there by one of the Trojans...
The Vundo Trojan is the one that worries me because it can dig in so deep.
Let's dig it out...
Please turn off your Avast Antivirus while doing the next instructions. It can interfere.
I don't see a Firewall except maybe Windows, but we'll deal with that later.
Download ComboFix from Here to your Desktop.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.
Again, a fresh HijackThis log and the ComboFix log in the next post, please.
We'll get there...
2oG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
This message has been edited since posting. Last time this message was edited on 24. July 2008 @ 04:14
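The rundll32 loaders, the AppInit_DLLs value and the Winlogon Notify package in the HijackThis log above are the load points a removal helper reads first. As an added example (not code from the original thread, and not part of HijackThis or ComboFix), the script below triages HijackThis O4/O20/O23 lines with the checks a helper applies by eye: hex-blob Run value names, rundll32 loading an unrecognised DLL with a one-letter export, autostarts living under the user profile, any AppInit_DLLs value, Notify packages pointing at a directory, and services whose ImagePath is gone. The sample lines are copied from the log above; the allow-list of NVIDIA DLLs and the scoring rules are this example's own assumptions.

```python
"""Triage of HijackThis O4 / O20 / O23 autostart lines (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the HijackThis log posted
# in this thread, mixing known-good vendor entries with the suspect ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [1c99d0a8] rundll32.exe "C:\WINDOWS\system32\euadficf.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM1faae334] Rundll32.exe "C:\WINDOWS\system32\tpgxfcld.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jim\Application Data\Microsoft\Windows\rayiou.exe
O20 - AppInit_DLLs: jyaywaxg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkKddcd - C:\WINDOWS\
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Maya\docs\wrapper.exe (file missing)
"""

# Assumption for this example: DLLs that rundll32 may legitimately load at
# logon on this machine (the NVIDIA control panel and tray helpers).
ALLOWED_RUNDLL32_DLLS = {"nvcpl.dll", "nvmctray.dll"}

HEX_NAME = re.compile(r"^(?:BM)?[0-9a-f]{8,}$")   # e.g. 1c99d0a8, BM1faae334
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:,(?P<export>\S*))?', re.I)
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: .* - (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def _triage_o4(name: str, cmd: str) -> List[str]:
    reasons = []
    if HEX_NAME.match(name):
        reasons.append("Run value name is a hex blob, not a product name")
    m = RUNDLL_RE.match(cmd)
    if m:
        base = m.group("dll").rsplit("\\", 1)[-1].lower()
        export = m.group("export") or ""
        if base not in ALLOWED_RUNDLL32_DLLS:
            reasons.append(f"rundll32 loads unrecognised DLL {base}")
        if len(export) == 1:
            reasons.append(f"single-letter export '{export}' is not how vendor DLLs are launched")
    exe = cmd.strip('"').lower()
    if "\\application data\\" in exe or "\\local settings\\" in exe:
        reasons.append("autostart binary lives under the user profile, not Program Files")
    return reasons


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one HijackThis line deserves a look."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        return _triage_o4(m.group("name"), m.group("cmd"))
    m = O20_APPINIT.match(line)
    if m and m.group("dlls").strip():
        # user32 loads every AppInit DLL into every GUI process: always review.
        return [f"AppInit_DLLs is set ({m.group('dlls').strip()})"]
    m = O20_NOTIFY.match(line)
    if m:
        path = m.group("path").strip()
        if path.endswith("\\") or not path.lower().endswith(".dll"):
            return [f"Winlogon Notify '{m.group('name')}' has no DLL behind it ({path or 'empty'})"]
        return []
    m = O23_RE.match(line)
    if m and "(file missing)" in m.group("path"):
        return ["service ImagePath no longer exists (orphaned service entry)"]
    return []


def triage(lines) -> List[Finding]:
    """Run triage_line over a whole log and keep only lines with at least one reason."""
    findings = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line.rstrip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against the full log above it lists the two hex-named rundll32 entries, the user-profile autostart, the AppInit_DLLs value and the jkkKddcd Notify package, which are the same entries ComboFix deletes or lists under "ORPHANS REMOVED" in the next post. Allow-listed vendor DLLs and plain Program Files autostarts are skipped, so the output is a reading order for the helper's judgement, not a verdict.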
lawyerjim
Junior Member
24. July 2008 @ 14:38
Here is the ComboFix Log:
ComboFix 08-07-23.5 - Jim 2008-07-24 11:00:50.1 - NTFSx86
Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jim\Application Data\.#
C:\Documents and Settings\Jim\My Documents\SSEMBL~1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\agmpjpkj.ini
C:\WINDOWS\system32\avrgbopc.dll
C:\WINDOWS\system32\bgiirgsr.ini
C:\WINDOWS\system32\bmiuehpo.ini
C:\WINDOWS\system32\bpusustv.dll
C:\WINDOWS\system32\byajreyg.dll
C:\WINDOWS\system32\crgfjybh.ini
C:\WINDOWS\system32\daurwlau.dll
C:\WINDOWS\system32\defhvfvo.dll
C:\WINDOWS\system32\didulgcw.ini
C:\WINDOWS\system32\egNTDcfe.ini
C:\WINDOWS\system32\egNTDcfe.ini2
C:\WINDOWS\system32\esfgoghs.dll
C:\WINDOWS\system32\etliowil.dll
C:\WINDOWS\system32\faleiddm.dll
C:\WINDOWS\system32\fcifdaue.ini
C:\WINDOWS\system32\gfjuhwhr.ini
C:\WINDOWS\system32\gixgjkum.dll
C:\WINDOWS\system32\hhjsoked.ini
C:\WINDOWS\system32\hjjiPqss.ini
C:\WINDOWS\system32\hjjiPqss.ini2
C:\WINDOWS\system32\hpfobtlr.ini
C:\WINDOWS\system32\hpqyicew.dll
C:\WINDOWS\system32\hrroewas.dll
C:\WINDOWS\system32\hyuaykbp.dll
C:\WINDOWS\system32\ifsgludt.ini
C:\WINDOWS\system32\ISAyyyxx.ini
C:\WINDOWS\system32\ISAyyyxx.ini2
C:\WINDOWS\system32\jwfxjksq.ini
C:\WINDOWS\system32\jyaywaxg.dll
C:\WINDOWS\system32\kbdgcbio.ini
C:\WINDOWS\system32\ktjigspo.ini
C:\WINDOWS\system32\ktuxxtix.ini
C:\WINDOWS\system32\laoagnkf.ini
C:\WINDOWS\system32\ljepammm.dll
C:\WINDOWS\system32\lnqcicdj.dll
C:\WINDOWS\system32\louxxref.ini
C:\WINDOWS\system32\lubjbabw.dll
C:\WINDOWS\system32\mpkljuhk.dll
C:\WINDOWS\system32\mypbduje.dll
C:\WINDOWS\system32\nefivtfp.dll
C:\WINDOWS\system32\nibckxnj.dll
C:\WINDOWS\system32\ohbhulso.dll
C:\WINDOWS\system32\oirwehul.dll
C:\WINDOWS\system32\pblgueny.ini
C:\WINDOWS\system32\pdqnddqv.dll
C:\WINDOWS\system32\pnoaqnrh.dll
C:\WINDOWS\system32\pqupyrqj.ini
C:\WINDOWS\system32\psqtasit.dll
C:\WINDOWS\system32\qalpnxgh.dll
C:\WINDOWS\system32\qfofyyfp.dll
C:\WINDOWS\system32\qmilur.dll
C:\WINDOWS\system32\qslgufac.ini
C:\WINDOWS\system32\rjxxcmel.dll
C:\WINDOWS\system32\rsfogosq.ini
C:\WINDOWS\system32\sgwydc.dll
C:\WINDOWS\system32\slqvfntt.dll
C:\WINDOWS\system32\snniwlfp.ini
C:\WINDOWS\system32\sswsstqd.ini
C:\WINDOWS\system32\tmqcyggu.ini
C:\WINDOWS\system32\uijeug.dll
C:\WINDOWS\system32\ujeadinp.ini
C:\WINDOWS\system32\uvmktqda.ini
C:\WINDOWS\system32\vajyntpp.dll
C:\WINDOWS\system32\vkorxdbj.ini
C:\WINDOWS\system32\vloqfx.dll
C:\WINDOWS\system32\vmcvuadw.ini
C:\WINDOWS\system32\vodtwpun.ini
C:\WINDOWS\system32\vteixfqx.ini
C:\WINDOWS\system32\WDgNmUtv.ini
C:\WINDOWS\system32\WDgNmUtv.ini2
C:\WINDOWS\system32\wtnapobw.dll
C:\WINDOWS\system32\wwgkufhf.dll
C:\WINDOWS\system32\xeurhafe.ini
C:\WINDOWS\system32\xkmroqif.ini
C:\WINDOWS\system32\xlhpurng.dll
C:\WINDOWS\system32\xsgnylwl.dll
C:\WINDOWS\system32\yinradbq.dll
C:\WINDOWS\system32\ymfjgjuv.dll
C:\WINDOWS\system32\ymvllgjn.ini
C:\WINDOWS\system32\ytigrpax.ini
C:\WINDOWS\system32\yynrranc.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.
2008-07-23 18:15 . 2008-07-23 18:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 18:08 . 2008-07-20 14:37 <DIR> d-------- C:\SDFix
2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Malwarebytes
2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-23 16:07 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-23 16:07 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-23 15:48 . 2004-08-04 02:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-07-23 15:48 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-07-23 15:48 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-07-23 15:48 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-07-23 15:48 . 2004-08-04 00:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-07-23 15:48 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-07-23 15:48 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-07-23 15:48 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-07-23 15:47 . 2004-08-04 00:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-07-23 15:47 . 2004-08-04 02:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-07-23 15:46 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-07-23 15:46 . 2002-08-29 00:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-07-23 15:46 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-07-23 15:46 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-07-23 15:46 . 2002-08-29 05:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-07-23 15:46 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-07-23 15:46 . 2002-08-29 05:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-07-23 15:46 . 2004-08-04 01:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-07-23 15:44 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-07-23 15:43 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-07-23 15:41 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-07-23 15:40 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-07-23 15:39 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-07-23 15:38 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-07-23 15:37 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-07-23 15:36 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\system32\dllcache\nv3.sys
2008-07-23 15:36 . 2001-08-17 22:36 123,776 --a--c--- C:\WINDOWS\system32\dllcache\nv3.dll
2008-07-23 15:36 . 2001-08-17 12:20 54,528 --a--c--- C:\WINDOWS\system32\dllcache\opl3sax.sys
2008-07-23 15:36 . 2001-08-17 12:49 51,552 --a--c--- C:\WINDOWS\system32\dllcache\ntgrip.sys
2008-07-23 15:36 . 2001-08-17 22:36 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll
2008-07-23 15:36 . 2004-08-04 01:00 28,672 --a--c--- C:\WINDOWS\system32\dllcache\nscirda.sys
2008-07-23 15:36 . 2001-08-17 13:47 9,344 --a--c--- C:\WINDOWS\system32\dllcache\ntapm.sys
2008-07-23 15:36 . 2001-08-17 13:53 7,552 --a--c--- C:\WINDOWS\system32\dllcache\nsmmc.sys
2008-07-23 15:33 . 2004-08-04 01:09 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2008-07-23 15:33 . 2004-08-04 01:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-07-23 15:33 . 2001-08-17 13:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
2008-07-23 15:33 . 2001-08-17 14:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2008-07-23 15:32 . 2001-08-17 14:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2008-07-23 15:32 . 2001-08-17 13:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2008-07-23 15:32 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-07-23 15:32 . 2001-08-17 13:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2008-07-23 15:30 . 2001-08-17 22:36 242,176 --a--c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-07-23 15:29 . 2004-08-04 02:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2008-07-23 15:29 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
2008-07-23 15:29 . 2004-08-04 01:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
2008-07-23 15:29 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
2008-07-23 15:29 . 2001-08-17 13:50 38,784 --a--c--- C:\WINDOWS\system32\dllcache\io8.sys
2008-07-23 15:29 . 2001-08-17 13:52 16,000 --a--c--- C:\WINDOWS\system32\dllcache\ini910u.sys
2008-07-23 15:29 . 2001-08-17 13:47 13,056 --a--c--- C:\WINDOWS\system32\dllcache\inport.sys
2008-07-23 15:29 . 2004-08-04 00:59 5,504 --a--c--- C:\WINDOWS\system32\dllcache\intelide.sys
2008-07-23 15:27 . 2001-08-17 13:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
2008-07-23 15:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-07-23 15:25 . 2001-08-17 12:15 455,680 --a--c--- C:\WINDOWS\system32\dllcache\fus2base.sys
2008-07-23 15:24 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-07-23 15:23 . 2002-08-29 05:00 514,587 --a--c--- C:\WINDOWS\system32\dllcache\edb500.dll
2008-07-23 15:22 . 2001-08-17 12:12 117,760 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2008-07-23 15:22 . 2001-08-17 12:12 50,719 --a--c--- C:\WINDOWS\system32\dllcache\e1000nt5.sys
2008-07-23 15:22 . 2001-08-17 12:12 19,594 --a--c--- C:\WINDOWS\system32\dllcache\e100isa4.sys
2008-07-23 15:20 . 2001-08-17 22:36 419,357 --a--c--- C:\WINDOWS\system32\dllcache\dgconfig.dll
2008-07-23 15:19 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-07-23 15:18 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_864.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_862.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_858.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_720.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_870.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_708.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_28596.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_21025.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20924.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20880.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20871.nls
2008-07-23 15:09 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-07-23 15:08 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2008-07-23 15:07 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
2008-07-23 15:07 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
2008-07-23 15:07 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
2008-07-23 15:07 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
2008-07-23 15:07 . 2001-08-17 22:37 24,576 --a--c--- C:\WINDOWS\system32\dllcache\agcgauge.ax
2008-07-23 15:07 . 2002-08-29 05:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt040d.dll
2008-07-23 15:07 . 2002-08-29 05:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0401.dll
2008-07-23 15:07 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
2008-07-23 15:07 . 2001-08-17 22:36 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll
2008-07-23 14:50 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-07-23 11:17 . 2008-07-23 11:17 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-23 00:09 . 2002-04-24 17:35 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-23 00:09 . 2002-04-25 14:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Corporation
2008-07-23 00:09 . 2002-04-25 15:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-07-23 00:09 . 2008-07-23 00:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-20 21:16 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-07-20 21:16 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-07-20 21:16 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-07-20 21:16 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-07-20 21:16 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-20 21:16 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-07-20 21:16 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-07-20 21:14 . 2008-07-20 21:14 <DIR> d-------- C:\WINDOWS\Logs
2008-07-07 09:57 . 2008-07-07 09:57 1,273,375 --a------ C:\WINDOWS\WotLK-FF-enGB-downloader.exe
2008-07-07 09:57 . 2008-07-07 09:57 271,452 --a------ C:\WINDOWS\lulz.exe
2008-07-03 10:46 . 2008-07-03 10:46 <DIR> d-------- C:\Documents and Settings\Jim\.jnlp-applet
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 18:05 --------- d-----w C:\Program Files\Shareaza
2008-07-23 18:05 --------- d-----w C:\Documents and Settings\Jim\Application Data\Shareaza
2008-07-23 17:51 --------- d-----w C:\Program Files\Windows Live
2008-07-23 04:25 --------- d-----w C:\Documents and Settings\Jim\Application Data\Canon
2008-06-05 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-06-03 02:49 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-05-25 18:57 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-25 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-25 06:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-15 03:40 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2006-02-09 02:35 119 -c--a-w C:\Documents and Settings\Jim\fixreg.reg
2005-05-14 00:12 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 18:13 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2005-10-11 18:25 1961984]
"Steam"="d:\program files\steam\steam.exe" [2008-07-18 08:16 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 01:58 65536]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-10-10 09:19 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22 86016]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 11:59 88107 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-25 11:57 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jyaywaxg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= ffdshow.ax
"vidc.yv12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\BYOND\\bin\\byond.exe"=
"D:\\Xfire\\xfire.exe"=
"D:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
"D:\\mwodownloader.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9420:TCP"= 9420:TCP:RSP
"9756:TCP"= 9756:TCP:BitCometLite 9756 TCP
"9756:UDP"= 9756:UDP:BitCometLite 9756 UDP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 16:15:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-24 18:14:43 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Mail.com - C:\Program Files\mail.com\mcalert.exe
HKLM-Run-SiS KHooker - C:\WINDOWS\System32\khooker.exe
HKLM-Run-CleanupProgram - C:\Sonysys\cleanup.exe
HKLM-Run-BJCFD - C:\Program Files\BroadJump\Client Foundation\CFD.exe
HKLM-Run-PVR Agent - C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
HKLM-Run-1c99d0a8 - C:\WINDOWS\system32\euadficf.dll
HKLM-Run-BM1faae334 - C:\WINDOWS\system32\tpgxfcld.dll
HKLM-Run-SiS Tray - (no file)
HKLM-Run-windows auto update - (no file)
Notify-jkkKddcd - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Search Bar =
O8 -: &Search - ?p=ZCfox000
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
C:\WINDOWS\Downloaded Program Files\mabiweb.inf
C:\WINDOWS\Downloaded Program Files\mabiwebframe.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 11:14:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
"ImagePath"="\??\C:\Documents and Settings\Jim\Desktop\BotsHack-
[www.jadook.com]\SoRa.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SoRa01]
"ImagePath"="\??\C:\Documents and Settings\Jim\Desktop\BotsHack-
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-07-24 11:32:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-24 18:31:49
Pre-Run: 3,351,552,000 bytes free
Post-Run: 4,659,814,400 bytes free
346 --- E O F --- 2008-05-16 05:52:59
Jim
lawyerjim
Junior Member
24. July 2008 @ 14:43
Here is the newest hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:19 AM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZCfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://gunfighter.wildwestonline.com
O15 - Trusted Zone: http://www.wildwestonline.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1161833594468
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -
O20 - AppInit_DLLs: jyaywaxg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Maya\docs\wrapper.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 8108 bytes
AfterDawn Addict
24. July 2008 @ 17:53
Hi lawyerjim,
I am leaving for a few days but I'll be back..
Your Logs are looking better but will still need a little touching up..
Quote: Do you have an XP disk or a recovery disk with XP system files on it????
Please...
If you use it in the next few days, be sure the firewall and AV are turned on..
If you have time in the next few days, you might re-run MalwareBytes' and ComboFix.
Do this the same way as instructed before and post the Logs.
This will give me some cleaner logs to look through and won't be as hard on an old man.. ; )
Also, please tell me about any problems that you are now having?
Regards, see you in a few
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
lawyerjim
Junior Member
24. July 2008 @ 18:10
I used sfc.exe (scannow) and an XP disc and replaced the missing files that have popped up so far.
Explorer.exe now loads on startup like it's supposed to and I can access everything I've tried, such as Control Panel, that I wasn't able to access before.
I am having no problems right now but I know there are things still lurking in the shadows.
I will send new logs tomorrow.
Thanks again
AfterDawn Addict
24. July 2008 @ 18:45
Hey, Hey
SFC is what I wanted you to run, but didn't so.. : (
You did good and I do want to look for signs that may come back to haunt you...
Thanks, CUL
2OG

AfterDawn Addict
27. July 2008 @ 11:30
Hi lawyerjim,
I said, I'll be back... And here I are. : ) lol
You know, Jim, this computer intrigues me as it has been a long time since I have seen a computer with this much malware installed on it and I would surely like to see it cleaned so that you don't lose anything... I believe you are on the road of recovery so please hang in there...
Please delete the following lines (if they still exist) using Hijackthis:
O8 - Extra context menu item: &Search - ?p=ZCfox000
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -
O20 - AppInit_DLLs: jyaywaxg.dll
Then please send me the latest Logs from:
Malwarebytes', SUPERAntiSpyware, and ComboFix Logs and, if possible now that you may be able to run SDFix, that also. + the HJT Log
What a deal right?
I have the next 4 days off and will be able to go over these logs. We'll clear up all loose ends and I will give you some of my recommendations and suggestions to block this malware and maintain a clean computer...
I'm gonna get a little shut-eye and hope to receive the logs soon...
Regards,
2OG
P.S. Let me know how she's running now and if you're having any problems....

This message has been edited since posting. Last time this message was edited on 27. July 2008 @ 11:34
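The three HJT lines 2OG asks to delete above share properties an analyst can check for mechanically. The following Python script is an added example, not code from the thread: it parses HijackThis O8, O16 and O20 entries and flags the same three kinds of entry (a context-menu item whose target is not a URL, an ActiveX control with neither a name nor a download source, and any DLL listed in AppInit_DLLs). The sample lines are copied from the HJT log posted above plus one constructed benign O8 line for contrast, and the flagging rules are the editor's reading of why those three lines were singled out.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the HijackThis log posted in this thread,
# plus one constructed benign O8 line (a typical Office "Export to Excel"
# entry) so the O8 rule has a legitimate entry to leave alone.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O8 - Extra context menu item: &Search - ?p=ZCfox000",
    r"O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000",  # constructed
    r"O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r"O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab",
    r"O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} -",
    r"O20 - AppInit_DLLs: jyaywaxg.dll",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
]

# Every HJT entry starts with a section tag (R0, R1, O2, O16, ...) then " - ".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O8: "Extra context menu item: <name> - <target>"
O8_RE = re.compile(r"^Extra context menu item: (?P<name>.*?) - (?P<target>.*)$")
# O16: "DPF: {CLSID} (optional name) - <optional download URL>"
O16_RE = re.compile(
    r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$"
)
# O20: "AppInit_DLLs: <space-separated DLL list>" (an empty list is the normal state)
O20_APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def triage(lines: List[str]) -> List[Finding]:
    """Return the entries an analyst should review, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, running-process list, "End of file" footer
        section, body = m.group("section"), m.group("body")
        if section == "O8":
            o8 = O8_RE.match(body)
            # A context-menu item normally points at a res:// or http(s)://
            # resource; a bare query fragment is not a usable target.
            if o8 and "://" not in o8.group("target"):
                findings.append(Finding(section, line,
                    "context-menu target is not a URL: %r" % o8.group("target")))
        elif section == "O16":
            o16 = O16_RE.match(body)
            # Named controls (Shockwave, Java) and controls with a source URL
            # can be checked against their vendor; an unnamed CLSID with no
            # source cannot.
            if o16 and not o16.group("name") and not o16.group("url"):
                findings.append(Finding(section, line,
                    "ActiveX control with neither a name nor a download source "
                    "(CLSID %s)" % o16.group("clsid")))
        elif section == "O20":
            o20 = O20_APPINIT_RE.match(body)
            # Any DLL in AppInit_DLLs is loaded into every process that links
            # user32 at logon; on a home PC that list should be empty.
            if o20 and o20.group("dlls"):
                findings.append(Finding(section, line,
                    "AppInit_DLLs loads %s into every process" % o20.group("dlls")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[review] %s: %s\n         %s" % (f.section, f.reason, f.line))
```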
lawyerjim
Junior Member
27. July 2008 @ 21:47
The computer is working great with no problems so far.
Here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.23
Database version: 999
Windows 5.1.2600 Service Pack 2
2:22:39 PM 7/27/2008
mbam-log-7-27-2008 (14-22-39).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 146984
Time elapsed: 3 hour(s), 31 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091505.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091475.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091489.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091497.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091501.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091515.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091525.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091531.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091533.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091542.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091543.dll (Adware.Shopper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091545.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091546.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091547.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
lawyerjim
Junior Member
27. July 2008 @ 21:53
Here is the Combofix log:
ComboFix 08-07-23.5 - Jim 2008-07-27 18:30:53.2 - NTFSx86
Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.
2008-07-27 10:10 . 2008-07-27 10:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-23 18:15 . 2008-07-23 18:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 18:08 . 2008-07-27 10:36 <DIR> d-------- C:\SDFix
2008-07-23 16:07 . 2008-07-27 10:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Malwarebytes
2008-07-23 16:07 . 2008-07-23 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-23 16:07 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-23 16:07 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-23 15:48 . 2004-08-04 02:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-07-23 15:48 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-07-23 15:48 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-07-23 15:48 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-07-23 15:48 . 2004-08-04 00:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-07-23 15:48 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-07-23 15:48 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-07-23 15:48 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-07-23 15:47 . 2004-08-04 00:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-07-23 15:47 . 2004-08-04 02:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-07-23 15:46 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-07-23 15:46 . 2002-08-29 00:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-07-23 15:46 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-07-23 15:46 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-07-23 15:46 . 2002-08-29 05:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-07-23 15:46 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-07-23 15:46 . 2002-08-29 05:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-07-23 15:46 . 2004-08-04 01:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-07-23 15:44 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-07-23 15:43 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-07-23 15:41 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-07-23 15:40 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-07-23 15:39 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-07-23 15:38 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-07-23 15:37 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-07-23 15:36 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\system32\dllcache\nv3.sys
2008-07-23 15:36 . 2001-08-17 22:36 123,776 --a--c--- C:\WINDOWS\system32\dllcache\nv3.dll
2008-07-23 15:36 . 2001-08-17 12:20 54,528 --a--c--- C:\WINDOWS\system32\dllcache\opl3sax.sys
2008-07-23 15:36 . 2001-08-17 12:49 51,552 --a--c--- C:\WINDOWS\system32\dllcache\ntgrip.sys
2008-07-23 15:36 . 2001-08-17 22:36 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll
2008-07-23 15:36 . 2004-08-04 01:00 28,672 --a--c--- C:\WINDOWS\system32\dllcache\nscirda.sys
2008-07-23 15:36 . 2001-08-17 13:47 9,344 --a--c--- C:\WINDOWS\system32\dllcache\ntapm.sys
2008-07-23 15:36 . 2001-08-17 13:53 7,552 --a--c--- C:\WINDOWS\system32\dllcache\nsmmc.sys
2008-07-23 15:33 . 2004-08-04 01:09 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2008-07-23 15:33 . 2004-08-04 01:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-07-23 15:33 . 2001-08-17 13:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
2008-07-23 15:33 . 2001-08-17 14:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2008-07-23 15:32 . 2001-08-17 14:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2008-07-23 15:32 . 2001-08-17 13:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2008-07-23 15:32 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-07-23 15:32 . 2001-08-17 13:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2008-07-23 15:30 . 2001-08-17 22:36 242,176 --a--c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-07-23 15:29 . 2004-08-04 02:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2008-07-23 15:29 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
2008-07-23 15:29 . 2004-08-04 01:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
2008-07-23 15:29 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
2008-07-23 15:29 . 2001-08-17 13:50 38,784 --a--c--- C:\WINDOWS\system32\dllcache\io8.sys
2008-07-23 15:29 . 2001-08-17 13:52 16,000 --a--c--- C:\WINDOWS\system32\dllcache\ini910u.sys
2008-07-23 15:29 . 2001-08-17 13:47 13,056 --a--c--- C:\WINDOWS\system32\dllcache\inport.sys
2008-07-23 15:29 . 2004-08-04 00:59 5,504 --a--c--- C:\WINDOWS\system32\dllcache\intelide.sys
2008-07-23 15:27 . 2001-08-17 13:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
2008-07-23 15:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-07-23 15:25 . 2001-08-17 12:15 455,680 --a--c--- C:\WINDOWS\system32\dllcache\fus2base.sys
2008-07-23 15:24 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-07-23 15:23 . 2002-08-29 05:00 514,587 --a--c--- C:\WINDOWS\system32\dllcache\edb500.dll
2008-07-23 15:22 . 2001-08-17 12:12 117,760 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2008-07-23 15:22 . 2001-08-17 12:12 50,719 --a--c--- C:\WINDOWS\system32\dllcache\e1000nt5.sys
2008-07-23 15:22 . 2001-08-17 12:12 19,594 --a--c--- C:\WINDOWS\system32\dllcache\e100isa4.sys
2008-07-23 15:20 . 2001-08-17 22:36 419,357 --a--c--- C:\WINDOWS\system32\dllcache\dgconfig.dll
2008-07-23 15:19 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-07-23 15:18 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_864.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_862.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_858.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_720.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_870.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_708.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_28596.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_21025.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20924.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20880.nls
2008-07-23 15:11 . 2002-08-29 05:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20871.nls
2008-07-23 15:09 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-07-23 15:08 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2008-07-23 15:07 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
2008-07-23 15:07 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
2008-07-23 15:07 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
2008-07-23 15:07 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
2008-07-23 15:07 . 2001-08-17 22:37 24,576 --a--c--- C:\WINDOWS\system32\dllcache\agcgauge.ax
2008-07-23 15:07 . 2002-08-29 05:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt040d.dll
2008-07-23 15:07 . 2002-08-29 05:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0401.dll
2008-07-23 15:07 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
2008-07-23 15:07 . 2001-08-17 22:36 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll
2008-07-23 14:50 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-07-23 11:17 . 2008-07-23 11:17 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-23 00:09 . 2002-04-24 17:35 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-23 00:09 . 2002-04-25 14:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Corporation
2008-07-23 00:09 . 2002-04-25 15:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-07-23 00:09 . 2008-07-23 00:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-20 21:16 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-07-20 21:16 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-07-20 21:16 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-07-20 21:16 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-07-20 21:16 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-20 21:16 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-07-20 21:16 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-07-20 21:14 . 2008-07-20 21:14 <DIR> d-------- C:\WINDOWS\Logs
2008-07-07 09:57 . 2008-07-07 09:57 1,273,375 --a------ C:\WINDOWS\WotLK-FF-enGB-downloader.exe
2008-07-07 09:57 . 2008-07-07 09:57 271,452 --a------ C:\WINDOWS\lulz.exe
2008-07-03 10:46 . 2008-07-03 10:46 <DIR> d-------- C:\Documents and Settings\Jim\.jnlp-applet
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 20:18 --------- d-----w C:\Program Files\UltimateBet
2008-07-24 20:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 20:09 --------- d-----w C:\Program Files\Sony
2008-07-24 01:53 188,338 ----a-w C:\WINDOWS\java\Packages\EK1B1ZLB.ZIP
2008-07-23 18:05 --------- d-----w C:\Program Files\Shareaza
2008-07-23 18:05 --------- d-----w C:\Documents and Settings\Jim\Application Data\Shareaza
2008-07-23 17:51 --------- d-----w C:\Program Files\Windows Live
2008-07-23 04:25 --------- d-----w C:\Documents and Settings\Jim\Application Data\Canon
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 17:44 3,072 ----a-w C:\WINDOWS\system32\yutrjqxh.dll
2008-06-05 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-06-04 17:36 3,072 ----a-w C:\WINDOWS\system32\brerwmjq.dll
2008-06-03 02:49 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-02-15 03:40 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2006-02-09 02:35 119 -c--a-w C:\Documents and Settings\Jim\fixreg.reg
2002-12-27 17:58 151,552 -c--a-w C:\WINDOWS\inf\i386\STBXPWIA.dll
2002-10-08 08:29 114,688 -c--a-w C:\WINDOWS\inf\i386\XP100.dll
2002-10-08 08:27 36,352 -c--a-w C:\WINDOWS\inf\i386\StbXpEXT.dll
2005-05-14 00:12 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 18:13 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.
((((((((((((((((((((((((((((( snapshot@2008-07-24_11.31.00.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-07-20 21:35:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-27 17:11:24 1,032,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-27 17:11:24 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-20 21:35:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-27 17:11:10 1,032,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-27 17:11:10 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-02 01:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2008-04-08 03:37:29 10,455 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-07-26 17:08:11 11,091 -c--a-w C:\WINDOWS\mozver.dat
- 2006-08-16 11:58:05 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
- 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-05-15 23:24:43 1,152,888 ----a-w C:\WINDOWS\system32\aswBoot.exe
+ 2008-07-19 14:43:08 1,163,960 ----a-w C:\WINDOWS\system32\aswBoot.exe
- 2008-05-15 23:12:36 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2008-07-19 14:30:53 94,392 ----a-w C:\WINDOWS\system32\AvastSS.scr
- 2006-08-16 11:58:05 100,352 -c--a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
+ 2006-08-16 12:08:32 100,352 -c--a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
- 2008-03-01 13:06:20 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2004-08-04 06:14:14 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-06-20 10:44:08 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
- 2004-08-04 06:10:37 274,304 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
+ 2008-06-13 13:10:50 272,128 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
- 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:36:11 147,968 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-03-01 13:06:21 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-02-29 08:55:23 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-03-01 13:06:21 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-04-20 05:07:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-03-01 13:06:24 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2008-02-29 08:55:46 625,664 -cs-a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-04-22 07:40:18 625,664 -cs-a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-04 07:56:42 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2008-02-26 11:59:50 294,912 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
- 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-03-02 01:36:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-24 05:16:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2004-08-04 07:56:44 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2008-06-20 17:36:11 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2008-03-01 13:06:29 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-10-29 22:43:03 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2007-10-30 16:53:32 360,832 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:44:42 360,960 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:32:39 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-03-01 13:06:29 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-03-01 13:06:30 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 04:16:29 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 04:16:29 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2008-05-15 23:13:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
+ 2008-07-19 14:32:15 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
- 2008-05-15 23:16:06 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
+ 2008-07-19 14:37:42 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
- 2008-05-15 23:18:33 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
+ 2008-07-19 14:37:21 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
- 2008-05-15 23:15:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
+ 2008-07-19 14:33:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
- 2008-05-15 23:20:32 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
+ 2008-07-19 14:35:18 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
- 2008-05-15 23:14:11 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2008-07-19 14:32:36 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\drivers\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-11-21 00:52:38 2,884,992 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2007-11-21 00:52:40 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-03-25 03:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-25 16:15:48 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
- 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-03-02 01:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-24 05:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-10-17 00:10:58 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
- 2008-07-24 18:11:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_53c.dat
+ 2008-07-28 01:20:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_53c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2005-10-11 18:25 1961984]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 01:58 65536]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-10-10 09:19 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 07:38 78008]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 11:59 88107 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-25 11:57 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= ffdshow.ax
"vidc.yv12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-07-18 08:16 1271032 d:\Program Files\Steam\steam.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\BYOND\\bin\\byond.exe"=
"D:\\Xfire\\xfire.exe"=
"D:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
"D:\\mwodownloader.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9420:TCP"= 9420:TCP:RSP
"9756:TCP"= 9756:TCP:BitCometLite 9756 TCP
"9756:UDP"= 9756:UDP:BitCometLite 9756 UDP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 16:15:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-27 22:15:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Search Bar =
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
C:\WINDOWS\Downloaded Program Files\mabiweb.inf
C:\WINDOWS\Downloaded Program Files\mabiwebframe.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 18:35:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
"ImagePath"="\??\C:\Documents and Settings\Jim\Desktop\BotsHack-
[www.jadook.com]\SoRa.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\SoRa01]
"ImagePath"="\??\C:\Documents and Settings\Jim\Desktop\BotsHack-
.
Completion time: 2008-07-27 18:40:19
ComboFix-quarantined-files.txt 2008-07-28 01:39:12
ComboFix2.txt 2008-07-24 18:32:07
Pre-Run: 4,295,901,184 bytes free
Post-Run: 4,287,873,024 bytes free
455 --- E O F --- 2008-07-27 16:57:44
lawyerjim
Junior Member
27. July 2008 @ 21:56 |
Here is the SDFix log:
SDFix: Version 1.207
Run by Administrator on Sun 07/27/2008 at 10:17 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 10:28:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:b9,cd,61,5f,80,64,3d,75,df,36,43,68,a0,f8,f2,f0,55,0f,17,29,7f,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:0e9825f9
"s2"=dword:96cc195e
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:b9,cd,61,5f,80,64,3d,75,df,36,43,68,a0,f8,f2,f0,55,0f,17,29,7f,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\BYOND\\bin\\byond.exe"="D:\\Program Files\\BYOND\\bin\\byond.exe:*:Enabled:byond"
"D:\\Xfire\\xfire.exe"="D:\\Xfire\\xfire.exe:*:Enabled:Xfire"
"D:\\Program Files\\BYOND\\bin\\dreamseeker.exe"="D:\\Program Files\\BYOND\\bin\\dreamseeker.exe:*:Enabled:Dream Seeker"
"D:\\mwodownloader.exe"="D:\\mwodownloader.exe:*:Enabled:BitCometLite"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
Files with Hidden Attributes :
Fri 13 May 2005 217,073 A.SHR --- "C:\WINDOWS\meta4.exe"
Mon 24 Oct 2005 66,560 A.SHR --- "C:\WINDOWS\MOTA113.exe"
Tue 22 Apr 2008 625,664 ..SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINDOWS\system32\AVSredirect.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Wed 3 May 2006 163,328 A.SHR --- "C:\WINDOWS\system32\flvDX.dll"
Sun 25 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\i420vfw.dll"
Wed 21 Feb 2007 31,232 A.SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINDOWS\system32\x.264.exe"
Sun 25 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\yv12vfw.dll"
Mon 7 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Thu 5 Apr 2007 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Sun 24 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 14 Nov 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Fri 14 Nov 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Mon 3 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Mon 3 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Mon 3 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3.tmp"
Finished!
Jim
lawyerjim
Junior Member
27. July 2008 @ 22:03 |
Here is the HijackThis log. I ran SUPERAntiSpyware but I forgot to save the log; I will run it again tonight.
Logfile of HijackThis v1.99.1
Scan saved at 6:43:36 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\hijackthis\kota.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://gunfighter.wildwestonline.com
O15 - Trusted Zone: http://www.wildwestonline.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1161833594468
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Maya\docs\wrapper.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
lawyerjim
Junior Member
27. July 2008 @ 23:15 |
Here is the Superantispyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/27/2008 at 06:14 PM
Application Version : 4.1.1046
Core Rules Database Version : 3519
Trace Rules Database Version: 1509
Scan type : Complete Scan
Total Scan Time : 03:46:41
Memory items scanned : 332
Memory threats detected : 0
Registry items scanned : 6039
Registry threats detected : 0
File items scanned : 160585
File threats detected : 19
Adware.Tracking Cookie
C:\Documents and Settings\Jim\Cookies\jim@atdmt[2].txt
Trojan.Vundo-Variant/Small-V2
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PDQNDDQV.DLL.VIR
Adware.180solutions/Seekmo/Zango
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091724.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091725.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091726.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091727.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091728.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091729.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091730.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091731.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091732.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091733.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091734.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091735.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091736.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091737.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091738.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091739.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9064A718-8822-4594-9843-DDC9AD7DED22}\RP462\A0091740.EXE
AfterDawn Addict
28. July 2008 @ 02:20 |
Good job lawyerjim,
Congratulations, your logs look CLEAN
The only things found in these last scans were infected Restore points and quarantined items, no problems or lurks. Note: your HJT is out of date. I didn't mention it because I don't use it enough that I needed to. I tend to use ComboFix to locate and rid baddies. : )
Food for thought: Since you have programs on this computer that you don't want to lose, consider setting a password for your Admin account and opening a Limited Account for your son. That way, if he screws up his account, it can always be deleted and a new account opened, thereby not affecting your stuff in the Admin account. ; )
There are a few things you must do once you are completely clean:
1. Time for some housekeeping
Please download the OTMoveIt2 by OldTimer
• Save it to your desktop.
• Run the tool by clicking on the icon.
• Click the Cleanup button.
• The tools that we used as well as this one will be removed from your system.
2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.
3. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.
Please follow these steps to remove older version Java components and update:
• Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
• Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications..
• Click the Download button to the right.
• Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
4. Now Set a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK"
Select the drive you want to clean usually C:
Click OK
When it completes the scan:
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
5. Defragment your Hard Drive
1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.
And here are some tips to reduce the potential for spyware infection in the future:
Install a Firewall
If you are not using a mechanical Firewall (Router with SPI), then it is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, or out (calling home) and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are Comodo Free and Online Armor Personal Firewall
I have recently changed my firewall to Comodo, love it and highly recommend it..
Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
I have found that Avira AntiVir is about the best AV on the market (free or pay), IMHO, that is why I use and recommend it..
I strongly recommend installing the following applications:
• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
To Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK
And also see TonyKlein's good advice
So how did I get infected in the first place?
Enjoy your clean computer. Any questions?
Regards,
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
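The DNS Client step and the HOSTS-file advice in the post above can be done and verified from a console as well. The script below is an added example for readers of this thread, not 2oldGeek's instructions or the MVPS project's own tooling. It assumes Windows PowerShell 2.0 or later is installed on the XP machine (it is not part of a default XP install) and that the console was opened by an administrator; the service's internal name Dnscache is the real name behind the "DNS Client" display name. The HOSTS audit goes a little beyond the post: besides counting the names a blocking HOSTS file sends to the local machine, it lists any entry that points somewhere else, which is the kind of edit malware makes to a HOSTS file and which a clean-up should catch.

```powershell
# Added example, not part of the original thread. Assumes Windows PowerShell 2.0
# or later on the XP machine and a console started with administrative rights.

# --- Step 1: stop the DNS Client service and set it to Manual ---------------
# The service shown as "DNS Client" in Services.msc has the internal name Dnscache.
$svc = Get-Service -Name Dnscache
if ($svc.Status -eq 'Running') {
    Stop-Service -Name Dnscache
}
Set-Service -Name Dnscache -StartupType Manual

# Confirm the result through WMI, which reports the start mode on every
# PowerShell version (Get-Service only gained a StartType property in 5.0).
Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'" |
    Select-Object Name, DisplayName, State, StartMode

# --- Step 2: audit the HOSTS file ------------------------------------------
# A blocking HOSTS file (such as the MVPS one) maps unwanted names to 127.0.0.1.
# Malware edits HOSTS too, usually to send security-vendor or update sites to an
# address it controls, so any entry that does not resolve to the local machine
# deserves a second look before the machine is declared clean.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$localAddresses = @('127.0.0.1', '::1', '0.0.0.0')
$blockedNames = 0
$suspect = @()

foreach ($line in Get-Content -Path $hostsPath) {
    $entry = ($line -split '#')[0].Trim()      # strip trailing comments
    if ($entry -eq '') { continue }             # blank or comment-only line
    $fields = $entry -split '\s+'
    if ($fields.Length -lt 2) { continue }      # malformed: address without a name
    if ($localAddresses -contains $fields[0]) {
        $blockedNames += $fields.Length - 1     # every name after the address
    } else {
        $suspect += $entry
    }
}

"HOSTS file: $hostsPath"
"Names blocked by mapping to the local machine: $blockedNames"
if ($suspect.Count -gt 0) {
    "Entries that do NOT point at the local machine (review these):"
    $suspect | ForEach-Object { "  $_" }
} else {
    "No entries point anywhere other than the local machine."
}
```

Run it once from an administrative console after installing the MVPS file; the first part replaces the Services.msc clicks in the post, and the second part prints a line for every entry a blocking HOSTS file would not normally contain, so a clean install shows only the blocked-name count.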
lawyerjim
Junior Member
29. July 2008 @ 23:03
The computer is working GREAT now.
Thank you so much for your help!
Jim